Add auth to load sequence for photos
This allows private photos to load on any page. Previously auth depended on some other thing like the enclosing page triggering the authentication of the specific contact for the photo owner.
This commit is contained in:
Dean Townsley
parent
cd2f390df6
commit
b5e195b415
|
|
@ -16,6 +16,7 @@ use Friendica\Database\DBA;
|
|||
use Friendica\Database\DBStructure;
|
||||
use Friendica\Model\Storage\IStorage;
|
||||
use Friendica\Object\Image;
|
||||
use Friendica\Protocol\DFRN;
|
||||
use Friendica\Util\DateTimeFormat;
|
||||
use Friendica\Util\Network;
|
||||
use Friendica\Util\Security;
|
||||
|
|
@ -133,8 +134,16 @@ class Photo extends BaseObject
|
|||
if ($r === false) {
|
||||
return false;
|
||||
}
|
||||
$uid = $r["uid"];
|
||||
|
||||
$sql_acl = Security::getPermissionsSQLByUserId($r["uid"]);
|
||||
// This is the first place, when retrieving just a photo, that we know who owns the photo.
|
||||
// Make sure that the requester's session is appropriately authenticated to that user
|
||||
// otherwise permissions checks done by getPermissionsSQLByUserId() won't work correctly
|
||||
$r = DBA::selectFirst("user", ["nickname"], ["uid" => $uid], []);
|
||||
// this will either just return (if auth all ok) or will redirect and exit (starting over)
|
||||
DFRN::autoRedir(self::getApp(), $r["nickname"]);
|
||||
|
||||
$sql_acl = Security::getPermissionsSQLByUserId($uid);
|
||||
|
||||
$conditions = [
|
||||
"`resource-id` = ? AND `scale` <= ? " . $sql_acl,
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user